A Bastion host is a gateway to accessing other hosts. It is a safeguard against admin error.

# Etymology
Bastion hosts are named because they are the first line of defense against administrative error -- they prevent admins from being locked out of correcting their changes.

# Capacity and Components
A Bastion host needs minimal CPU or memory.

# Hosted Services and Entities
Nothing is hosted by a Bastion.

# Connections
See [[:Category:Entity|the entity list]] -- any host should be able to connect to a Bastion with [[SSH]] and X11, and it should be able to dial to any service provider.

# Additional Reference
Bastion hosts should be deployed alongside any Hypervisor and set to start on boot. The encrypted credentials volume should be encrypted per [[ShadowArch]]'s recommendations, and it should not be added to /etc/fstab or /etc/crypttab.

To create a Bastion:
1.  Create a new VM in the Hypervisor and mark it to start on boot. For an example Hypervisor, see [[Forge2]].
1.  Install ShadowArch with the Spartacus layout and without encryption or GUI -- encryption complicates boot and GUI is unnecessary. Applications with GUI will be X11-forwarded.
1.  Log in as root and convert the exfat partition from the Spartacus layout to an encrypted ext4 or xfs one.
1.  "make -C /usr/local/src/ConfigPackages/Bastion install"
1.  Log in as the bastion user on the new VM and run new-ssh-key for each [[SSH]]-capable host.
1.  Set a NAT rule in the router to allow access to the Bastion host on a non-22 port.
}}